Hacker News

Ah yes, the "Oh fuck, just say we're looking into it" initial response.



“Okta knew and didn’t disclose it for months AWS-style” and “Okta didn’t know” are both extremely terrifying. - Corey Quinn, https://twitter.com/QuinnyPig/status/1506120181839409159?t=y...


They are simply looking into it. Not offering unwarranted speculation or conjecture. Not providing any information that could assist attackers. And not being unreasonably dismissive, nor downplaying it.

I really don't see the problem with their response. What would you propose in the circumstances?


It's just one of those responses that's not actually a response. It's the only response you can give, and you only give it because you're forced to give a response. It's a noop.


Then I wonder why it is remarkable? The absence of a response may be worth commenting on, but this seems fairly unimpeachable.

It's distinguishable from a noop because some information is imparted, namely that a) they are aware of the issue and b) that they have formed a preliminary view it warrants a response.


What else do you expect them to say? Put yourself in their shoes for a moment.

It’s perfectly okay to not say anything prematurely that can cause any confusion with the employees, customers, and media.

All eyes are on them; it’s better not to screw up whatever little trust they have left.


What else would they respond?


If, for example, the screenshots didn't actually look like their internal admin interface (and so were obviously doctored), they would probably say something to that effect in the initial post. The fact that they're merely "looking into it" implies the information they have so far makes them think this at least could be a real hack.



